From: Greg Kroah-Hartman Date: Fri, 15 Nov 2024 05:24:35 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v4.19.324~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d4ba532b9e337246d461e6e2cd4d5488d21e28c2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch --- diff --git a/queue-6.6/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch b/queue-6.6/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch new file mode 100644 index 00000000000..cd6e2c1054b --- /dev/null +++ b/queue-6.6/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch @@ -0,0 +1,55 @@ +From 73254a297c2dd094abec7c9efee32455ae875bdf Mon Sep 17 00:00:00 2001 +From: Hagar Hemdan +Date: Tue, 4 Jun 2024 13:05:27 +0000 +Subject: io_uring: fix possible deadlock in io_register_iowq_max_workers() + +From: Hagar Hemdan + +commit 73254a297c2dd094abec7c9efee32455ae875bdf upstream. + +The io_register_iowq_max_workers() function calls io_put_sq_data(), +which acquires the sqd->lock without releasing the uring_lock. +Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock +before acquiring sqd->lock"), this can lead to a potential deadlock +situation. + +To resolve this issue, the uring_lock is released before calling +io_put_sq_data(), and then it is re-acquired after the function call. + +This change ensures that the locks are acquired in the correct +order, preventing the possibility of a deadlock. + +Suggested-by: Maximilian Heyne +Signed-off-by: Hagar Hemdan +Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -4358,8 +4358,10 @@ static __cold int io_register_iowq_max_w + } + + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); + } + + if (copy_to_user(arg, new_count, sizeof(new_count))) +@@ -4384,8 +4386,11 @@ static __cold int io_register_iowq_max_w + return 0; + err: + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); ++ + } + return ret; + } diff --git a/queue-6.6/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch b/queue-6.6/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch new file mode 100644 index 00000000000..8c52d9e011b --- /dev/null +++ b/queue-6.6/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch @@ -0,0 +1,75 @@ +From 704573851b51808b45dae2d62059d1d8189138a2 Mon Sep 17 00:00:00 2001 +From: Qun-Wei Lin +Date: Fri, 25 Oct 2024 16:58:11 +0800 +Subject: mm: krealloc: Fix MTE false alarm in __do_krealloc + +From: Qun-Wei Lin + +commit 704573851b51808b45dae2d62059d1d8189138a2 upstream. + +This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: +krealloc: consider spare memory for __GFP_ZERO") which causes MTE +(Memory Tagging Extension) to falsely report a slab-out-of-bounds error. + +The problem occurs when zeroing out spare memory in __do_krealloc. The +original code only considered software-based KASAN and did not account +for MTE. It does not reset the KASAN tag before calling memset, leading +to a mismatch between the pointer tag and the memory tag, resulting +in a false positive. + +Example of the error: +================================================================== +swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188 +swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1 +swapper/0: Pointer tag: [f4], memory tag: [fe] +swapper/0: +swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12. +swapper/0: Hardware name: MT6991(ENG) (DT) +swapper/0: Call trace: +swapper/0: dump_backtrace+0xfc/0x17c +swapper/0: show_stack+0x18/0x28 +swapper/0: dump_stack_lvl+0x40/0xa0 +swapper/0: print_report+0x1b8/0x71c +swapper/0: kasan_report+0xec/0x14c +swapper/0: __do_kernel_fault+0x60/0x29c +swapper/0: do_bad_area+0x30/0xdc +swapper/0: do_tag_check_fault+0x20/0x34 +swapper/0: do_mem_abort+0x58/0x104 +swapper/0: el1_abort+0x3c/0x5c +swapper/0: el1h_64_sync_handler+0x80/0xcc +swapper/0: el1h_64_sync+0x68/0x6c +swapper/0: __memset+0x84/0x188 +swapper/0: btf_populate_kfunc_set+0x280/0x3d8 +swapper/0: __register_btf_kfunc_id_set+0x43c/0x468 +swapper/0: register_btf_kfunc_id_set+0x48/0x60 +swapper/0: register_nf_nat_bpf+0x1c/0x40 +swapper/0: nf_nat_init+0xc0/0x128 +swapper/0: do_one_initcall+0x184/0x464 +swapper/0: do_initcall_level+0xdc/0x1b0 +swapper/0: do_initcalls+0x70/0xc0 +swapper/0: do_basic_setup+0x1c/0x28 +swapper/0: kernel_init_freeable+0x144/0x1b8 +swapper/0: kernel_init+0x20/0x1a8 +swapper/0: ret_from_fork+0x10/0x20 +================================================================== + +Fixes: 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") +Signed-off-by: Qun-Wei Lin +Acked-by: David Rientjes +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1391,7 +1391,7 @@ __do_krealloc(const void *p, size_t new_ + /* Zero out spare memory. */ + if (want_init_on_alloc(flags)) { + kasan_disable_current(); +- memset((void *)p + new_size, 0, ks - new_size); ++ memset(kasan_reset_tag(p) + new_size, 0, ks - new_size); + kasan_enable_current(); + } + diff --git a/queue-6.6/series b/queue-6.6/series index 5beb446c9c4..e5c8e5a0be2 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -37,3 +37,5 @@ loongarch-use-exception-return-address-to-comment-er.patch asoc-fsl_micfil-add-sample-rate-constraint.patch net-usb-qmi_wwan-add-fibocom-fg132-0x0112-compositio.patch bpf-check-validity-of-link-type-in-bpf_link_show_fdi.patch +io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch +mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch